|
Intel Management Engine vulnerability SA-00086 |
Post Reply 
|
Page <1234 8> |
| Author | |||||||||||||||||||||||||||||||
flashback8 
Newbie 
Joined: 24 Nov 2017 Status: Offline Points: 9 |
 Post Options
 Thanks(0)
 Quote Reply
 Posted: 01 Dec 2017 at 3:24am |
||||||||||||||||||||||||||||||
Thanks for the suggestion. Didn't help. |
|||||||||||||||||||||||||||||||
 |
|||||||||||||||||||||||||||||||
|
rico
Newbie
Joined: 23 Nov 2017 Status: Offline Points: 30 |
Post Options
Thanks(0)
Quote Reply
Posted: 30 Nov 2017 at 3:59pm |
||||||||||||||||||||||||||||||
|
Driver, not firmware. v11.7.0.1045 is the version of the "Intel Management Engine Interface" I have installed in Device Manager - System devices.
|
|||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
|
flashback8
Newbie
Joined: 24 Nov 2017 Status: Offline Points: 9 |
Post Options
Thanks(0)
Quote Reply
Posted: 30 Nov 2017 at 2:21pm |
||||||||||||||||||||||||||||||
Can't do it. Intel won't let you downgrade ME firmware. ("Error 8805" and then something about the SVN (Security Version Number) preventing it.) |
|||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
|
rico
Newbie
Joined: 23 Nov 2017 Status: Offline Points: 30 |
Post Options
Thanks(0)
Quote Reply
Posted: 30 Nov 2017 at 6:45am |
||||||||||||||||||||||||||||||
|
Can't help you there as I've a Z170 board but if you're up for a minor adventure I'd suggest you try the latest ME drivers from here: https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html
The so-called "11.7.4.3314 drivers" you mention are actually v11.7.0.1032. You can see it yourself in mup.xml in the ME(v11.7.4.3314_SW).zip archive: <driverversion>11.7.0.1032</driverversion> I have a Z170 board and successfully installed v11.7.0.1045 which is actually called "Intel MEI Driver v11.7.0.1050 MEI-Only Installer" in the link above. Maybe a driver update will sort you out? |
|||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
|
flashback8
Newbie
Joined: 24 Nov 2017 Status: Offline Points: 9 |
Post Options
Thanks(0)
Quote Reply
Posted: 30 Nov 2017 at 5:22am |
||||||||||||||||||||||||||||||
|
Hi everyone. I still haven't been able to resolve my HDCP 2.2 issue. As expected, nobody's really telling me anything useful. For now, if playback of Ultra HD discs is important, please don't apply ASRock's patch until this gets sorted out.
That said, would somebody with the Z370 Gaming-ITX/ac board be able to do me a big favor? If you haven't updated the ME firmware yet, could you download and run the MEInfo tool (https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmware-amp-System-Tools.html) and post the results here? For an apples-to-apples comparison, you'll need to have the 11.7.4.3314 drivers installed from ASRock's support page for the board (https://www.asrock.com/MB/Intel/Fatal1ty%20Z370%20Gaming-ITXac/index.us.asp#Download), you'll also need to have SGX enabled ("Enabled," not "Software Controlled" or whatever) in the UEFI, and it'd help to have the 1.11 UEFI installed. For reference, I've pasted below my results after the patch has been applied. Thanks. ------------ Intel(R) MEInfo Version: 11.6.25.1229 Copyright(C) 2005 - 2017, Intel Corporation. All rights reserved.
Intel(R) ME code versions:
BIOS Version L1.11 MEBx Version 0.0.0.0000 GbE Version 0.2 Vendor ID 8086 PCH Version 0 FW Version 11.8.50.3425 H LMS Version 11.7.0.1037 MEI Driver Version 11.7.0.1032 Wireless Hardware Version 2.1.77 Wireless Driver Version 20.10.2.2
FW Capabilities 0x31101140
Intel(R) Capability Licensing Service - PRESENT/ENABLED Protect Audio Video Path - PRESENT/ENABLED Intel(R) Dynamic Application Loader - PRESENT/ENABLED Intel(R) Platform Trust Technology - PRESENT/DISABLED
TLS Disabled Last ME reset reason Firmware reset Local FWUpdate Enabled BIOS Config Lock Enabled GbE Config Lock Enabled Host Read Access to ME Enabled Host Write Access to ME Disabled Host Read Access to EC Disabled Host Write Access to EC Disabled SPI Flash ID 1 C22018 SPI Flash ID 2 Unknown BIOS boot State Post Boot OEM ID 00000000-0000-0000-0000-000000000000 Capability Licensing Service Enabled OEM Tag 0x00000000 Slot 1 Board Manufacturer 0x00000000 Slot 2 System Assembler 0x00000000 Slot 3 Reserved 0x00000000 M3 Autotest Disabled C-link Status Disabled Independent Firmware Recovery Disabled EPID Group ID 0xFFB LSPCON Ports None 5K Ports None OEM Public Key Hash FPF 0000000000000000000000000000000000000000000000000000000000000000 OEM Public Key Hash ME 0000000000000000000000000000000000000000000000000000000000000000 ACM SVN FPF 0x0 KM SVN FPF 0x0 BSMM SVN FPF &nbs |
|||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
|
romf
Newbie
Joined: 23 Nov 2017 Status: Offline Points: 3 |
Post Options
Thanks(0)
Quote Reply
Posted: 29 Nov 2017 at 10:04am |
||||||||||||||||||||||||||||||
|
Bad luck for me, i just tried the USB bootable disk flashing method but with no success.
I got this message : (IME driver version 11.6.0.1026 already installed on my pc) ERROR 8705 : Firmware update not initiated due to version mismatch.. Oh well, i will try the windows method another time maybe, i don't feel like flashing my BIOS, reset the CMOS right now..
 |
|||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
|
rico
Newbie
Joined: 23 Nov 2017 Status: Offline Points: 30 |
Post Options
Thanks(0)
Quote Reply
Posted: 29 Nov 2017 at 5:12am |
||||||||||||||||||||||||||||||
|
After my earlier woes with this patch I raised the issue with ASRock Technical Support. They suggested clearing my CMOS as a remedy but seeing as I'd already sorted myself out by re-flashing my BIOS I decided to try again this evening. This time I used the DOS flasher on a bootable USB drive and all worked perfectly - no CMOS clearing required.
tldr: Windows flasher bad. DOS flasher good. |
|||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
|
rico
Newbie
Joined: 23 Nov 2017 Status: Offline Points: 30 |
Post Options
Thanks(0)
Quote Reply
Posted: 28 Nov 2017 at 4:42am |
||||||||||||||||||||||||||||||
Link is not dead - I can see it fine: ctrl-c, ctrl-v
Advisory note: Intel Q3'17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update
Reference: Intel security vulnerabilities (INTEL-SA-00086)
In response to issues identified by external
researchers, Intel has performed an in-depth comprehensive security
review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience.
As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted. ASRock and Intel highly recommend that all customers install updated firmware and Intel® Capability License Service on impacted platforms. For more detailed information please refer to the Intel web site: https://security-center.intel.com/ Affected ASRock Products:
Intel 100, 200, 300
ME1 ME2 If your model Intel 100/200/300 series but not in the following list, please download ME1 package If your model is Q170 series or in the following list, please download ME2 package
|
|||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
|
daddyo
Newbie
Joined: 30 Oct 2017 Status: Offline Points: 54 |
Post Options
Thanks(0)
Quote Reply
Posted: 28 Nov 2017 at 3:54am |
||||||||||||||||||||||||||||||
This link is dead. Can't reach it? https://www.asrock.com/microsite/2017IntelFirmware/
Edited by daddyo - 28 Nov 2017 at 3:56am |
|||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
|
daddyo
Newbie
Joined: 30 Oct 2017 Status: Offline Points: 54 |
Post Options
Thanks(0)
Quote Reply
Posted: 28 Nov 2017 at 3:02am |
||||||||||||||||||||||||||||||
I'm waiting a bit longer to cast my vote on this as well. Security is not to be taken lightly. The use of official servers for patches and communication is a cornerstone principle. And by the way, I don't see anyone getting "angry" at Asrock on this thread. My posts are out of concern with this issue and with constructive intent. People chiming in in their own way are justified to do so when Asrock hasn't issued a clear response yet. Most people are ok with waiting for a patch as long as they know it's coming. It is easy to interpret Asrock's silence + published patches for 300 series motherboards as ignoring the older models that are affected. So, hence the concern. A simple notice on the website saying that further fixes are underway would suffice. While it appears there is a microsite addressing the issue, I only found it by following this forum thread, and not on Asrock's main support page. Perhaps the communications should be a bit more streamlined? Again, this raises the valid concern that someone out there could create a fake patching site to further exploit the situation. I'm only trying to provide constructive criticism here.
Edited by daddyo - 28 Nov 2017 at 4:01am |
|||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||
|
Post Reply
|
Page <1234 8> |
Tweet
|
| Forum Jump | Forum Permissions You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum |
Topic Options
rico wrote: